(54) NETWORK MONITOR EQUIPMENT

(57) Abstract:

PURPOSE: To provide network monitor equipment in which
the operating state of network application programs is
monitored without affecting the traffic of the network or the
equipment performing data communication.
CONSTITUTION: A packet selection section 30 selects a
desired packet among packets received by a packet reception
section 10 and stores the packet in a packet storage section
40. A protocol analysis section 50 analyzes the header of a
data frame in the packet stored in the packet storage section 40
and outputs the result of the analysis and the application-layer
data that follows the header. A data selection section 60
estimates a data form, selects the data of the application
layer based on the estimated data form and gives the data to a
data extract section 70. The data extract section 70 extracts
data required for monitoring from the received data and stores
the data in an activity storage section 80.



LEGAL STATUS 

[Date of request for examination] 

[Date of sending the examiner's decision of 
rejection] 

[Kind of final disposal of application other than the
examiner's decision of rejection or application
converted registration]

[Date of final disposal for application] 

[Patent number] 

[Date of registration] 

[Number of appeal against examiner's decision of 
rejection] 

[Date of requesting appeal against examiner's 
decision of rejection] 

[Date of extinction of right] 

Copyright (C); 1998,2003 Japan Patent Office 






TRANSLATION 

Pat. OPI HEI 7-321783

JAPANESE PATENT OFFICE 

OPI PATENT OFFICIAL GAZETTE 
Patent OPI No. HEI 7-321783 A 
Date of OPI: December 8, 1995 

Patent Application No. HEI 6-111515 

Date of Filing: May 25, 1994 

Inventor: Mineaki Yokoyama 

Applicant: Fuji Xerox K.K. 

Title of Invention: Network Monitoring Apparatus 

Partial Translation



[0012] Figure 1 is a functional block diagram showing one embodiment of a
network monitoring apparatus according to the present invention.
[0013] In the figure, a packet receiving section 10, which is connected to a
network, receives all packets (i.e., data frames) transferred on the network,
appends the receive time to each received packet, and passes the packet to a time
detecting section 20 as well as to a packet selecting section 30. The time
detecting section 20 detects the receive time from the packet passed from the
packet receiving section 10. The packet selecting section 30 selects the packet
based on data carried in a designated position in the received packet. A packet
storing section 40 stores the packet selected by the packet selecting section 30,
together with the receive time data supplied from the time detecting section 20.
[0014] A protocol analyzing section 50 analyzes the protocol header contained in
the packet stored in the packet storing section 40, extracts necessary protocol
information along with the application data carried in the packet, and passes
these pieces of data to a data selecting section 60.

[0015] The necessary protocol information here refers, for example, to source
address, destination address, etc., and the application data refers, for example,
to data at layers higher than TCP (Transmission Control Protocol), that is, data
from the session layer to the application layer.

[0016] The data selecting section 60 analyzes the received application data,
estimates the data format of the data, checks, based on the estimated data
format, whether the data is data necessary for monitoring, and selects only the
necessary data. That is, based on knowledge about the application and
inherent knowledge about the data necessary for its monitoring, the data format
of the received application data is estimated, and it is checked to determine
whether the data is the necessary data or not. Here, the data selecting section
60 estimates whether the data is of the desired data format or not by checking
through lexical analysis whether the data conforms to a specific grammar, and
selects only the application data whose data format has been estimated to be the
desired one.

[0017] A data extracting section 70 extracts necessary data from the data
selected by the data selecting section 60, the result of the protocol analysis, and
the receive time data.

[0018] An activity information storing section 80 stores the data extracted by 
the data extracting section 70. 

[0019] Next, a description will be given of the process for monitoring remote 
printing in a UNIX system. 

[0020] Remote printing in a UNIX system is performed by transferring data
between lpd daemons in accordance with the TCP protocol. The data
transferred here are a print control file and a print data file. The data of these
files are sent following a message that contains a command byte followed by a
file size and a file name. The transfer procedure is shown in Figure 2.

[0021] The contents of the data transferred in the example of Figure 2 will be 
described below. 

[0022] [\002 printername \012]

"\002 (2 in octal notation)" is a command byte indicating that the
character string that follows is a printer name or a control file and its size. In
the example shown, "printername" indicates that the command byte is followed
by a character string describing the printer name. "\012 (012 in octal)" is
1-byte data indicating the end of the command. The statement here means that
the destination printer is indicated by the character string that follows the
command byte.

[\000]

"\000" is a command byte indicating a response. This means the
reception of the command.
[0023] [\003 size filename \012] 
"\003" is a command byte indicating that the character string that follows is
the size of the file transferred and the file name, "size" indicates that the 
command byte is followed by a digit string expressing the file size, and 
"filename" means that a character string describing the file name follows the file 
size with a space interposed therebetween. The meaning of "\012" is the same 
as that described above. 
[0024] [data \000] 

"data" indicates the actual data, and "\000" indicates the end of the data. 
[0025] [\002 size filename \012] 

This statement is for the case where the \002 command byte described 
above is followed by the name of the control file and its size. 
[0026] As shown in Figure 2, the data transfer between the lpds described above
is performed with respect to a virtually fixed port called the printer port. 
Further, since each command byte and the parameter that follows it are sent as 
one message unit, the command byte is located at the head of the data sent as a 
packet. 

[0027] As one example of the remote print monitoring, it is assumed here that 
the time that the transfer occurred, the size of the data file, the station that 
issued the remote print, and the station that received the remote print are 
monitored. 

[0028] With such preconditions in mind, the monitoring process will be 
described with reference to Figures 3 and 4. 

[0029] Figure 3 is a flow chart illustrating operations in the packet receiving 
and selecting process, and Figure 4 is a flow chart illustrating operations in the 
process for extracting the data necessary for the monitoring. 
[0030] First, the packet receiving and selecting process will be described. 
[0031] In Figure 3, the packet receiving section 10 determines whether the 
monitoring is completed or not (step 110); if it is not completed yet, the packet 
receiving section 10 receives one packet (step 120) and passes this packet to the 
packet selecting section 30. At the same time, the time detecting section 20 
detects the receive time of the packet that the packet receiving section 10 
received (step 130). 

[0032] The packet selecting section 30 determines whether the packet passed 
from the packet receiving section 10 is a TCP packet or not by checking whether 
the packet is based on the TCP protocol format (step 140). If the packet is a
TCP packet, then it is determined whether the packet is a packet destined for 
the printer port, based on the data carried in a designated position, i.e., the port 
number, in the packet passed from the packet receiving section 10 (step 150). 
[0033] If the packet is a packet destined for the printer port, the packet selecting 
section 30 stores the packet in the packet storing section 40. At the same time, 
the receive time data for that packet is also stored in the packet storing section 
40 by the time detecting section 20 (step 160). 

[0034] After carrying out the step 160, the process returns to the step 110 to
repeat the process starting from the same step.

[0035] If the answer is NO in the above step 140 or 150, the process returns to 
the step 110. If it is determined in the step 110 that the monitoring is 
completed, the process is terminated. 

[0036] Next, the process for extracting the data necessary for the monitoring 
will be described. 

[0037] In Figure 4, the protocol analyzing section 50 determines whether the
monitoring is completed or not (step 210); if it is completed, the process is
terminated, but if it is not completed yet, packet data for one packet is retrieved
from the packet storing section 40 (step 220). The protocol analyzing section 50
then analyzes the LLC (logical link control) and the IP (Internet Protocol) and
TCP (Transmission Control Protocol) headers contained in the retrieved packet data
(step 230), extracts the source and destination IP addresses and the data (i.e.,
the application data) based on the TCP protocol, and passes these extracted
results to the data selecting section 60. At this time, the receive time data for
that packet is also passed.

[0038] The data selecting section 60 performs lexical analysis on the application
data in the extracted results thus passed (step 240), and determines whether
the data is constructed from a character string and a line feed code byte
conforming to the rule "a byte of value \003, a digit string, a space, and a UNIX
file name" (step 250).

[0039] If the data satisfies the above condition, the data selecting section 60 
passes the data (application data) to the data extracting section 70, together 
with the receive time data and the source and destination IP addresses already 
received from the protocol analyzing section 50. 
[0040] The data extracting section 70 extracts the file size data contained as a
digit string in the data passed from the data selecting section 60 (step 260) and 
stores the file size data in the activity information storing section 80, together 
with the receive time data and the source and destination IP address data 
already received from the data selecting section 60 (step 270). 
[0041] After carrying out the step 270, the process returns to the step 210, to 
repeat the process starting from the same step. If the answer is NO in the step 
250, the process also returns to the step 210. 

[0042] As described above, according to the present embodiment, based on
knowledge about a specific application and knowledge about information
necessary for monitoring, in addition to the usual packet filtering, data
necessary for monitoring of a network application can be efficiently collected.
[0043] This achieves activity monitoring at the application level. 
[0044] Further, since only the necessary data is stored, the area for storing data 
can be reduced. 

[0045] On top of that, analysis can be done on a packet by packet basis, and 
there is no need for complex mechanisms such as segmentation and reassembly 
in IP and connection management in a connection oriented protocol. 
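
The selection and extraction steps of Figures 3 and 4 (steps 140 to 270), sketched in Python as an added example that is not part of the patent text. It assumes the link-layer header is already stripped and that the printer port is 515 (the page does not give the number); the packets are constructed, and `analyze_packet`, `build_packet` and `monitor` are hypothetical names. The last sample shows the cost of the per-packet analysis in [0045]: a command split across two segments is not recorded.

```python
import re
import socket
import struct

PRINTER_PORT = 515  # assumption: well-known lpd port; the page only says "printer port"
# Step 250 rule: byte \003, digit string, space, UNIX file name, line feed \012.
DATA_FILE_CMD = re.compile(rb"\x03(\d+) ([^\x00/ \n]+)\n")

def analyze_packet(ip_packet, recv_time):
    """Return an activity record for one IPv4 packet, or None if not selected."""
    if len(ip_packet) < 40 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4                       # IP header length
    if ihl < 20 or len(ip_packet) < ihl + 20 or ip_packet[9] != socket.IPPROTO_TCP:
        return None                                       # step 140: not a TCP packet
    total_len, = struct.unpack_from("!H", ip_packet, 2)
    dport, = struct.unpack_from("!H", ip_packet, ihl + 2)
    data_off = (ip_packet[ihl + 12] >> 4) * 4             # TCP header length
    if dport != PRINTER_PORT or data_off < 20:            # step 150: printer port?
        return None
    payload = ip_packet[ihl + data_off:total_len]         # application data
    match = DATA_FILE_CMD.fullmatch(payload)              # steps 240-250
    if match is None:
        return None
    return {"time": recv_time,                            # steps 260-270
            "src": socket.inet_ntoa(ip_packet[12:16]),
            "dst": socket.inet_ntoa(ip_packet[16:20]),
            "size": int(match.group(1))}

def build_packet(src, dst, dport, payload):
    """Build a minimal IPv4+TCP packet (constructed input, checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 1023, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def monitor(packets):
    """Apply selection and extraction to (recv_time, packet) pairs."""
    return [r for t, pkt in packets if (r := analyze_packet(pkt, t))]

A, B = "192.0.2.10", "192.0.2.20"  # constructed addresses
SAMPLE = [  # constructed traffic
    (100.0, build_packet(A, B, 515, b"\x02lp0\n")),               # printer name
    (100.1, build_packet(A, B, 515, b"\x0275 cfA001host\n")),     # control file
    (100.2, build_packet(A, B, 515, b"\x0320480 dfA001host\n")),  # data file
    (100.3, build_packet(A, B, 80, b"\x03999 dfA002host\n")),     # wrong port
    (100.4, build_packet(A, B, 515, b"\x0320")),                  # command split mid-segment
]
```

`monitor(SAMPLE)` returns a single record, for the data-file command at time 100.2.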